RE: [PHP] How to open random Flash page with hyperlink?

2003-08-26 Thread Cody Phanekham
Curt,

You're absolutely right it is a security hole, however the response was a quick solution 
without much thought in regards to the security integrity of the script.

> -Original Message-
> From: Curt Zirzow [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 August 2003 01:04
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
> 
> 
> * Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> > Murugesan,
> > 
> > main.php:
> > <?php
> > session_name("mysessionname");
> > session_start();
> > if (!$s_authed) // check access
> > {
> >   // user hasnt been authorised, therefore redirect to login page
> 
> This is exactly why register globals is turned off by default now.
> 
> This is a major security hole, I can simply put in the url:
>   http://host/main.php?s_authed=1
> 
> And I would be considered authenticated, throughout the site.
> 
> Please turn register_globals off and use the $_SESSION variable to
> access your session vars.
> 
> 
> Curt
> -- 
> "I used to think I was indecisive, but now I'm not so sure."
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 


*
This e-mail, including any attachments to it, may contain confidential and/or personal 
information.
If you have received this e-mail in error, you must not copy, distribute, or disclose 
it, use or take any action 
based on the information contained within it.

Please notify the sender immediately by return e-mail of the error and then delete the 
original e-mail.

The information contained within this e-mail may be solely the opinion of the sender 
and may not necessarily 
reflect the position, beliefs or opinions of Salmat on any issue.

This email has been swept for the presence of computer viruses known to Salmat's 
anti-virus systems.

For more information, visit our website at  www.salmat.com.au.
*

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How to open random Flash page with hyperlink?

2003-08-25 Thread Curt Zirzow
* Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> Murugesan,
> 
> main.php:
> <?php
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasnt been authorised, therefore redirect to login page

This is exactly why register globals is turned off by default now.

This is a major security hole, I can simply put in the url:
  http://host/main.php?s_authed=1

And I would be considered authenticated, throughout the site.

Please turn register_globals off and use the $_SESSION variable to
access your session vars.


Curt
-- 
"I used to think I was indecisive, but now I'm not so sure."
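
Curt's point above, as an added example that is not part of the thread: the same request is run through the bare-variable check from main.php and through a check that reads only the session array. register_globals was removed in PHP 5.4, so extract() emulates its import step here; the function names, the $dbRow record and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so extract() stands in for the import it used to perform.

/** main.php's check as posted: $s_authed is read as a bare variable. */
function authed_with_register_globals(array $get, array $session): bool
{
    extract($get);      // emulation: query-string values become variables
    extract($session);  // emulation: registered session values become variables
    return !empty($s_authed);
}

/** The check Curt asks for: only the server-side session is consulted. */
function authed_with_session_array(array $get, array $session): bool
{
    // $get is deliberately ignored: nothing from the URL can set the flag.
    return ($session['s_authed'] ?? 0) === 1;
}

/**
 * Login step: on success the flag and the employee id go into the session,
 * and the redirect carries no credentials in its query string.
 * $dbRow is a hypothetical stored record; the pwd_hash column is an assumption.
 */
function login(array $post, array $dbRow, array &$session): string
{
    $ok = ($post['empid'] ?? '') === $dbRow['empid']
        && password_verify($post['pwd'] ?? '', $dbRow['pwd_hash']);
    if (!$ok) {
        return 'Location: /index.php';
    }
    // In a real page, call session_regenerate_id(true) at this point.
    $session['s_authed'] = 1;
    $session['empid'] = $dbRow['empid'];
    return 'Location: /main.php';
}

// Constructed request: a visitor who never logged in asks for main.php?s_authed=1.
$get = ['s_authed' => '1'];
$session = [];
var_dump(authed_with_register_globals($get, $session));
var_dump(authed_with_session_array($get, $session));

// Constructed record and a correct login; afterwards the session passes the check.
$dbRow = [
    'empid'    => 'E100',
    'pwd_hash' => password_hash('constructed-pw', PASSWORD_DEFAULT),
];
echo login(['empid' => 'E100', 'pwd' => 'constructed-pw'], $dbRow, $session), "\n";
var_dump(authed_with_session_array([], $session));
```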




Re: [PHP] How to open random Flash page with hyperlink?

2003-08-25 Thread murugesan
Really thanks for the support. It worked well.

-regards,
Murugesan

- Original Message -
From: "Cody Phanekham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 25, 2003 11:06 AM
Subject: RE: [PHP] How to open random Flash page with hyperlink?


Murugesan,

I'll assume you're redirecting the user to main.php because (s)he has passed
the authentication routine... in that case just store the username and
password as a session variable, that way you won't need to pass the username
and password via the url.

auth.php, [just before the call to header()]:


then in main.php you need to start your session to access the session
variables
your employee id = $empid and the password you typed was $pwd";
?>


> -Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> Sent: Monday, 25 August 2003 15:18
> To: Cody Phanekham; [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
>
>
> Thanks for the information.
> In the code you provided
>
> if ((!$passwd) || (!$username)) // user hasnt logged in
>  {
>   .
>
> Actually I have implemented this in a separate page.
>
> That is upon sign up of the  in the index page
> I call a new page auth.php
> In that file
> I have done this authentication and called the function
> header ("Location: /main.php?empid=$empid&pwd=$pwd");
>
> Actually when passing this URL the password appears in the
> address bar.
> How to over come this? It will be very much usefull if I get
> the answer.
>
> Thanks in advance
> -Murugesan
> --
> --
> --
> --
> -
> Ok lets say you want every user to login before they can
> access other parts
> of your site.
>
> index.php:
> <?php
> session_name("mysessionname");
> session_start();
> session_register("s_authed");
> $s_authed = 0; // initialize session flag
>
> if ((!$passwd) || (!$username)) // user hasnt logged in
> {
>   // display login form
>   ...
> }
> else
> {
>   // retrieve database username and password here
>   ...
>   // check if they match
>   if (($db_passwd == $passwd) && ($db_username == $username))
>   {
>     $s_authed = 1; // user has been authorised
>     // redirect to real page
>     echo "
>     <script>
>       window.location='main.php'
>     </script>
>     ";
>   }
> }
> ?>
>
> main.php:
> <?php
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasnt been authorised, therefore redirect to login page
>   echo "
>   <script>
>     window.location='index.php'
>   </script>
>   ";
> }
> else
> {
>   // display page
>   ...
> }
> ?>
>
>
> if a user tries to access main.php directly without logging
> in they will be
> redirected to index.php
>
> checkout http://www.php.net/manual/en/ref.session.php for
> more information
>
>
> >
> >
> > Thanks for the message.
> > Can you please tell me how to do session authentication?.
> >
> > -murugesan
>






RE: [PHP] How to open random Flash page with hyperlink?

2003-08-25 Thread Cody Phanekham
Murugesan,

I'll assume you're redirecting the user to main.php because (s)he has passed the 
authentication routine... in that case just store the username and password as a 
session variable, that way you won't need to pass the username and password via the url.

auth.php, [just before the call to header()]:


then in main.php you need to start your session to access the session variables
your employee id = $empid and the password you typed was $pwd";
?>


> -Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> Sent: Monday, 25 August 2003 15:18
> To: Cody Phanekham; [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
> 
> 
> Thanks for the information.
> In the code you provided
> 
> if ((!$passwd) || (!$username)) // user hasnt logged in
>  {
>   .
> 
> Actually I have implemented this in a separate page.
> 
> That is upon sign up of the  in the index page
> I call a new page auth.php
> In that file
> I have done this authentication and called the function
> header ("Location: /main.php?empid=$empid&pwd=$pwd");
> 
> Actually when passing this URL the password appears in the 
> address bar.
> How to over come this? It will be very much usefull if I get 
> the answer.
> 
> Thanks in advance
> -Murugesan
> --
> --
> --
> --
> -
> Ok lets say you want every user to login before they can 
> access other parts
> of your site.
> 
> index.php:
> <?php
> session_name("mysessionname");
> session_start();
> session_register("s_authed");
> $s_authed = 0; // initialize session flag
> 
> if ((!$passwd) || (!$username)) // user hasnt logged in
> {
>   // display login form
>   ...
> }
> else
> {
>   // retrieve database username and password here
>   ...
>   // check if they match
>   if (($db_passwd == $passwd) && ($db_username == $username))
>   {
>     $s_authed = 1; // user has been authorised
>     // redirect to real page
>     echo "
>     <script>
>       window.location='main.php'
>     </script>
>     ";
>   }
> }
> ?>
> 
> main.php:
> <?php
> session_name("mysessionname");
> session_start();
> if (!$s_authed) // check access
> {
>   // user hasnt been authorised, therefore redirect to login page
>   echo "
>   <script>
>     window.location='index.php'
>   </script>
>   ";
> }
> else
> {
>   // display page
>   ...
> }
> ?>
> 
> 
> if a user tries to access main.php directly without logging 
> in they will be
> redirected to index.php
> 
> checkout http://www.php.net/manual/en/ref.session.php for 
> more information
> 
> 
> >
> >
> > Thanks for the message.
> > Can you please tell me how to do session authentication?.
> >
> > -murugesan
> 





Re: [PHP] How to open random Flash page with hyperlink?

2003-08-25 Thread murugesan
Thanks for the information.
In the code you provided

if ((!$passwd) || (!$username)) // user hasnt logged in
 {
  .

Actually I have implemented this in a separate page.

That is upon sign up of the  in the index page
I call a new page auth.php
In that file
I have done this authentication and called the function
header ("Location: /main.php?empid=$empid&pwd=$pwd");

Actually when passing this URL the password appears in the address bar.
How to over come this? It will be very much usefull if I get the answer.

Thanks in advance
-Murugesan


-
Ok lets say you want every user to login before they can access other parts
of your site.

index.php:

  window.location='main.php'
";
  }
}
?>

main.php:

window.location='index.php'
  ";
}
else
{
  // display page
  ...
}
?>


if a user tries to access main.php directly without logging in they will be
redirected to index.php

checkout http://www.php.net/manual/en/ref.session.php for more information


>
>
> Thanks for the message.
> Can you please tell me how to do session authentication?.
>
> -murugesan




RE: [PHP] How to open random Flash page with hyperlink?

2003-08-25 Thread Cody Phanekham
Murugesan,

Ok lets say you want every user to login before they can access other parts of your 
site.

index.php:

  window.location='main.php'
";
  }
}
?>

main.php:

window.location='index.php'
  ";
}
else
{
  // display page
  ...
}
?>


if a user tries to access main.php directly without logging in they will be redirected 
to index.php

checkout http://www.php.net/manual/en/ref.session.php for more information


> -Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
> Sent: Friday, 22 August 2003 20:04
> To: Cody Phanekham; [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
> 
> 
> Thanks for the message.
> Can you please tell me how to do session authentication?.
> 
> -murugesan





Re: [PHP] How to open random Flash page with hyperlink?

2003-08-22 Thread murugesan
Thanks for the message.
Can you please tell me how to do session authentication?.

-murugesan
- Original Message -
From: "Cody Phanekham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 10:05 AM
Subject: FW: [PHP] How to open random Flash page with hyperlink?


-Original Message-
> From: murugesan [mailto:[EMAIL PROTECTED]
>  some more changes
>  
>  

Murugesan,

both ways are correct. Its just that i'm used to using the short open tag :)


http://au.php.net/manual/en/configuration.directives.php#ini.short-open-tag


short_open_tag boolean


Tells whether the short form () of PHP's open tag should be allowed. If
you want to use PHP in combination with XML, you can disable this option in
order to use  inline. Otherwise, you can print it with PHP, for
example: . Also if disabled, you must
use the long form of the PHP open tag ().

Note: This directive also affects the shorthand mailto:[EMAIL PROTECTED]>
[EMAIL PROTECTED]>
To: <  <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 9:32 AM
Subject: RE: [PHP] How to open random Flash page with hyperlink?


Phillip,

pretty close. only a few things that are missing/incorrect.
my corrections are marked by a #


> -Original Message-
> From: Phillip Pang [mailto:[EMAIL PROTECTED]
> // random_menu.html
> 
>  $i = rand(0,3);
> ?>
> 
>
> 
> <a href="http://www.x.com/random.php?i=$i">x</a>
# you need to go back to php mode to use $i
<a href="http://www.x.com/random.php?i=<?php echo $i; ?>">x</a>

> 
>
> ---
>
> // random.php
> 
>  $i = $_post["i"];
# im pretty sure the value would be past via the GET method as the user
would be clicking the hyperlink, so it should look like
$i = $_GET["i"];

>
> if ($i = = 0){
# there shouldnt be any spaces for the comparison
if ($i == 0){

> $value = "a";
> }
> else if ($i = = 1){
# there shouldnt be any spaces for the comparison
else if ($i == 1){

> $value = "b";
> }
> ...etc.
# dont forget to get out of php mode
?>

> 
>
> 
> 
> 
# need to go back to php mode to use $value
 

> 
# need to go back to php mode to use $value
 

> 
> 
>
> Please help if you know how to do this. Thanks in advance.
>
> phil*

-murugesan







Re: [PHP] How to open random Flash page with hyperlink?

2003-08-21 Thread murugesan
Hello 
some more changes
 
 

-murugesan

- Original Message - 
From: "Cody Phanekham" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 22, 2003 9:32 AM
Subject: RE: [PHP] How to open random Flash page with hyperlink?


Phillip,

pretty close. only a few things that are missing/incorrect.
my corrections are marked by a #


> -Original Message-
> From: Phillip Pang [mailto:[EMAIL PROTECTED]
> // random_menu.html
> 
>  $i = rand(0,3);
> ?>
> 
> 
> 
> x
# you need to go back to php mode to use $i
x

> 
> 
> ---
> 
> // random.php
> 
>  $i = $_post["i"];
# im pretty sure the value would be past via the GET method as the user would be 
clicking the hyperlink, so it should look like
$i = $_GET["i"];

> 
> if ($i = = 0){
# there shouldnt be any spaces for the comparison
if ($i == 0){

> $value = "a";
> }
> else if ($i = = 1){
# there shouldnt be any spaces for the comparison
else if ($i == 1){

> $value = "b";
> }
> ...etc.
# dont forget to get out of php mode
?>

> 
> 
> 
> 
> 
# need to go back to php mode to use $value
 

> 
# need to go back to php mode to use $value
 

> 
> 
> 
> Please help if you know how to do this. Thanks in advance.
> 
> phil*

-murugesan


RE: [PHP] How to open random Flash page with hyperlink?

2003-08-21 Thread Cody Phanekham
Phillip,

pretty close. only a few things that are missing/incorrect.
my corrections are marked by a #


> -Original Message-
> From: Phillip Pang [mailto:[EMAIL PROTECTED]
> // random_menu.html
> 
>  $i = rand(0,3);
> ?>
> 
> 
> 
> x
# you need to go back to php mode to use $i
x

> 
> 
> ---
> 
> // random.php
> 
>  $i = $_post["i"];
# im pretty sure the value would be past via the GET method as the user would be 
clicking the hyperlink, so it should look like
$i = $_GET["i"];

> 
> if ($i = = 0){
# there shouldnt be any spaces for the comparison
if ($i == 0){

> $value = "a";
> }
> else if ($i = = 1){
# there shouldnt be any spaces for the comparison
else if ($i == 1){

> $value = "b";
> }
> ...etc.
# dont forget to get out of php mode
?>

> 
> 
> 
> 
> 
# need to go back to php mode to use $value
 

> 
# need to go back to php mode to use $value
 

> 
> 
> 
> Please help if you know how to do this. Thanks in advance.
> 
> phil*

hope that helps

Cody

